Data Execution Prevention.....
XP and 2k3 have a protection mode... currently on XP it protects
"Windows" programs, but you can enable it to protect all programs.
There is hardware DEP and software DEP.
Chatter on the listserves is that software DEP "may", depending on your
installed programs, be enough to stop this. Some blogs [since when did
blogs become security guidance authority? Let's analyze some of this
Chicken Little guidance, shall we?] are stating that with certain third
party apps loaded this may not be true. [i.e. Irfanview image viewer]
http://sunbeltblog.blogspot.com/
*I have software DEP enabled on my system, does this help mitigate the
vulnerability?*
Yes. Windows XP Service Pack 2 also includes software-enforced DEP that
is designed to reduce exploits of exception handling mechanisms in
Windows. By default software-enforced DEP applies to core operating
system components and services. This vulnerability can be mitigated by
enabling DEP for all programs on your computer.
For additional information about how to “Enable DEP for all programs on
your computer”, see the product documentation
<http://www.microsoft.com/technet/security/prodtech/windowsxp/depcnfxp.mspx>.
Noah Eiger wrote:
Sorry. Maybe it's too much holiday partying: DEP?
-----Original Message-----
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 29, 2005 5:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ZeroDay-WMF
True...but right now the vector they are using is WMF so it mitigates
that one.
Risk analysis and for right now ...that's the steps I took for my
office. [I'm thinking about DEP enabling everyone as I'm seeing no
impact here and I'm the only one running Irfanview]
Now whether I do more tomorrow.... ask me tomorrow :-) I'm still not
ready to unregister dll's..... yet....
{Cool thing about SBSland is the Change Management department around
here is really agreeable with whatever I decide to do}
Crawford, Scott wrote:
This has been discussed on Jesper's blog, but the main problem is that
blocking wmf files doesn't mitigate the risk because simply renaming a
file to .jpg or .gif will still cause it to be parsed by the same .dll
which will treat it as the file type it really is.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, December 29, 2005 7:08 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ZeroDay-WMF
What did I do?
1. Fired up Trend and blocked the wmf files
2. Fired up ISA and blocked WMF images
3. On my high risk workstations [uh...mine] enabled DEP for all
programs [and seriously considering doing this for all as I'm 100% borg
XP sp2 here]
How to Configure Memory Protection in Windows XP SP2:
http://www.microsoft.com/technet/security/prodtech/windowsxp/depcnfxp.mspx
4. Ensured that the a/v dats were covering it
5. Informed all of what was going on and told them to 'be careful'.
I have not unregistered that dll as to me... ripping that out like that
is last resort. You will break a lot of stuff.
E-Bitz - SBS MVP the Official Blog of the SBS "Diva" : So if you have
ISA here are some things you can do:
http://msmvps.com/blogs/bradley/archive/2005/12/28/79908.aspx
E-Bitz - SBS MVP the Official Blog of the SBS "Diva" : Blocking those
WMF's at the email border:
http://msmvps.com/blogs/bradley/archive/2005/12/28/79925.aspx
E-Bitz - SBS MVP the Official Blog of the SBS "Diva" : WMF and blocking:
http://msmvps.com/blogs/bradley/archive/2005/12/29/79966.aspx
Noah Eiger wrote:
Susan -
I examined the steps you provided for unregistering shimgvw.dll but
notes at
http://billpstudios.blogspot.com/2005/12/zero-day-wmf-exploit.html
seem to indicate that this will only help if you get an infected
attachment in email. Or did I mis-read that?
Also, if this is a good stop-gap, are you deploying it via script/GPO?
At least until MS patches?
Thanks.
-- nme
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
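Scott's point above (a WMF renamed .jpg or .gif is still parsed as WMF) is why an extension filter at the mail or proxy border is weak. As an added example, not code from the thread, from Microsoft or from any product mentioned in it, this Python gateway check sniffs attachment bytes for a WMF header instead of trusting the name; header layouts come from the published WMF and raster formats, and the sample attachments are constructed.

```python
import struct

# Placeable-WMF key (0x9AC6CDD7, little-endian) and the usual raster
# signatures; taken from the published file formats.
ALDUS_KEY = b"\x9a\xc6\xcd\xd7"
RASTER_MAGIC = {b"\xff\xd8\xff": "jpg", b"GIF87a": "gif", b"GIF89a": "gif",
                b"\x89PNG\r\n\x1a\n": "png", b"BM": "bmp"}
RASTER_EXTS = {"jpg", "gif", "png", "bmp"}

def is_wmf(data: bytes) -> bool:
    """True if the bytes start with a placeable or a standard METAHEADER."""
    if data[:4] == ALDUS_KEY:
        return True
    if len(data) < 18:
        return False
    mt_type, mt_header_size, mt_version = struct.unpack_from("<HHH", data, 0)
    # mtType 1 = memory, 2 = disk metafile; header is 9 words; version 0x100/0x300
    return mt_type in (1, 2) and mt_header_size == 9 and mt_version in (0x0100, 0x0300)

def sniff_image(data: bytes) -> str:
    """Classify by content alone: 'wmf', a raster type, or 'unknown'."""
    if is_wmf(data):
        return "wmf"
    for magic, kind in RASTER_MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def should_quarantine(filename: str, data: bytes) -> bool:
    """Hold WMF bytes under any name, and any image extension that does
    not match what the bytes say (the renaming trick in the thread)."""
    kind = sniff_image(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = "jpg" if ext == "jpeg" else ext
    return kind == "wmf" or (ext in RASTER_EXTS and kind != ext)

def scan_attachments(files: dict) -> list:
    """Names of attachments to hold, in sorted order."""
    return sorted(n for n, d in files.items() if should_quarantine(n, d))

# Constructed samples: an 18-byte METAHEADER renamed .jpg, a placeable WMF
# renamed .gif, and two genuine raster headers.
SAMPLES = {
    "holiday.jpg": struct.pack("<HHHIHIH", 1, 9, 0x0300, 9, 0, 0, 0),
    "placeable.gif": ALDUS_KEY + b"\x00" * 18,
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "anim.gif": b"GIF89a" + b"\x00" * 16,
}
```

Content sniffing is the same logic the renderer applies, so a filter built this way holds the disguised files an extension list lets through while leaving genuine JPEG and GIF attachments alone.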